Reverse tunneling

A new phishing technique is keeping cybersecurity experts up at night. It’s called “reverse tunneling.” Coupled with URL shorteners, it lets attackers sidestep the usual controls that stop phishing campaigns.

What is reverse tunneling?

When a user connects to the internet through a third party, typically a VPN (Virtual Private Network), it’s called a tunnel connection. Tunnels protect the user’s privacy and can also provide a secure connection to a server at work, or anywhere else, that holds content which is not, or should not be, openly accessible online.

As the name implies, reverse tunneling does the opposite: an online service routes incoming internet traffic to a local computer, or a network of local computers. A legitimate reverse tunneling account lets a user turn their own computer into a place to serve content. Reverse tunneling has many legitimate applications: it can allow users to access files on their home computers and devices while traveling, or can be used as a test environment for developing online apps or websites.

It also provides cybercriminals with a way to deploy more insidious phishing campaigns, since a threat actor can send potential victims on a digital detour that avoids hosting providers such as GoDaddy or Google Drive, where bad links can be identified and taken down.

How reverse tunneling works for phishing attacks

Phishing emails often include links to online destinations that serve copies of legitimate content to trick victims into sharing credentials and other sensitive information. The link used may be typosquatted (e.g. CapitolOneBanc.com, App1e.com), or the threat actor can use a URL shortener such as Bit.ly, which hides the real destination from the recipient until the link is clicked.

This approach is fairly easy to stop: once a user reports the cloned site behind a phishing campaign, hosting platforms and search engines alike investigate and, if the link is suspect, take it down.

Reverse tunneling, of course, eliminates the need for a website hosting service. Because the sites are served from individual machines controlled by the threat actor, any URL that is identified as malicious can be quickly duplicated and redeployed at a different URL. There is no need to set up website hosting or register domain names. It’s an elegant solution to an ugly activity that targets unwitting victims every day.

Security researchers have reported large-scale phishing operations that deploy reverse tunneling to launch fresh campaigns daily by simply changing the reverse tunnel accounts and shortened URLs. This makes the attacks harder to identify, track and decommission. 
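As an added illustration, not code from the original article, the Python sketch below shows the defender's side of the problem: it expands shortened links offline against a constructed redirect map, flags destinations under a reverse-tunnel provider suffix, and notes the auto-generated hostnames that let a campaign reappear under a fresh URL after takedown. bit.ly comes from the article; `tunnel.example`, the redirect map and the log lines are constructed assumptions, not real services or data.

```python
import re
from urllib.parse import urlparse
# bit.ly is the shortener named in the article; "tunnel.example" is a placeholder
# for the reverse-tunnel provider domains an organisation chooses to watch.
SHORTENERS = {"bit.ly"}
TUNNEL_SUFFIXES = (".tunnel.example",)

# Constructed redirect map standing in for a shortener's expand lookup.
REDIRECTS = {
    "https://bit.ly/3abc": "https://4f2e9c1a.tunnel.example/login",
    "https://bit.ly/3def": "https://www.example.org/newsletter",
}

def expand(url, redirects=REDIRECTS, max_hops=5):
    """Follow the redirect chain offline; returns every hop, start first."""
    chain = [url]
    while len(chain) <= max_hops and chain[-1] in redirects:
        chain.append(redirects[chain[-1]])
    return chain

def classify(url, redirects=REDIRECTS):
    """Return the reasons a link deserves scrutiny (empty list = nothing seen)."""
    chain = expand(url, redirects)
    final_host = urlparse(chain[-1]).hostname or ""
    reasons = []
    if (urlparse(chain[0]).hostname or "") in SHORTENERS:
        reasons.append("shortened link")
    if final_host.endswith(TUNNEL_SUFFIXES):
        reasons.append("reverse tunnel host")
        # Tunnel hostnames are auto-generated per session; a random-looking
        # first label is what lets a takedown be answered with a fresh URL.
        if re.fullmatch(r"[0-9a-f]{8,}", final_host.split(".")[0]):
            reasons.append("ephemeral subdomain")
    return reasons

def scan_log(lines, redirects=REDIRECTS):
    """Extract URLs from gateway log lines; map each flagged URL to its reasons."""
    findings = {}
    for line in lines:
        for url in re.findall(r"https?://\S+", line):
            if reasons := classify(url, redirects):
                findings[url] = reasons
    return findings

# Constructed sample mail-gateway log lines (not real data).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z from=billing@example.net url=https://bit.ly/3abc",
    "2024-05-01T10:00:07Z from=news@example.org url=https://bit.ly/3def",
    "2024-05-01T10:00:09Z from=it@example.org url=https://intranet.example.org/",
]
```

In a real deployment the redirect map would be replaced by a live expand lookup, and the tunnel suffix list by the provider domains the organisation actually sees in its traffic.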

Until law enforcement and cybersecurity firms are able to find a new means of detecting and tracing these operations, the method is likely to become more widespread.

What does this technique mean for end users?

While the methods used by cybercriminals have changed, best practices for their potential targets have not: 

  • Treat any incoming email or SMS as potentially malicious. 
  • Avoid clicking any links delivered through URL shortening services.
  • Double check the sender email address on incoming messages before replying.